In this paper, one of a series on verification of concurrent programs, we present proof methods for establishing eventuality and until properties. The methods are based on well-founded ranking and are applicable to both "just" and "fair" computations. These methods do not assume a decrease of the rank at each computation step. It is sufficient that there exists one process which decreases the rank when activated. Fairness then ensures that the program will eventually attain its goal.


In  the  finite  state  case  the  proofs  can  be  represented  by  diagrams.  Several  examples  are  given. 
INTRODUCTION


In a previous report [MP1] we introduced the temporal framework for reasoning about programs. We described a model of concurrent programs which is based on interaction via shared variables and defined the concept of fair execution of such programs. We then demonstrated the application of the temporal logic formalism for expressing properties of concurrent programs. Program properties can be classified according to the syntactic form of the temporal formula expressing them; we studied three classes of properties: invariance properties, eventuality properties and precedence ("until") properties. Most program properties that have been previously considered or studied for sequential and concurrent programs fall into one of these three categories.

In  a  second  report  [MP2],  we  developed  proof  principles  based  on  temporal  logic  for  establishing 
that  concurrent  programs  possess  properties  of  these  classes.  We  presented  a  proof  method  for 
each  class  of  properties. 

• A single invariance principle is adequate for establishing invariance properties.

• For proving eventuality properties, we recommended a chain reasoning approach, in which we follow the possible chains of events until the desired goal is realized. Several proof principles were introduced for establishing the basic steps in the chain. A similar approach is presented in [OL].

• Simple precedence properties may be proved by a combination of invariance proofs and eventuality proofs. A forthcoming report ([MP3]) will discuss proof methods for general precedence properties.

In  this  paper,  we  present  an  alternative  method  for  proving  eventuality  and  “until”  properties 
based  on  convergence  functions  (well-founded  rankings). 

In our exposition, we assume that the reader is familiar with the basic concepts and definitions introduced in [MP1] and [MP2].

THE  CONVERGENCE  FUNCTION  APPROACH 


Unlike the chain reasoning approach, which displays a variety of strategies and rules, the convergence function approach provides a single uniform principle for proving eventualities of the form:

$$\models\ \varphi \supset \Diamond\psi,$$

(i.e., if $\varphi$ ever arises it must be followed by $\psi$), as well as "until" properties of the form

$$\models\ \varphi \supset (\chi\ \mathcal{U}\ \psi),$$

(i.e., if $\varphi$ ever arises it must be followed by an instant at which $\psi$ is realized and between the occurrences of $\varphi$ and $\psi$, $\chi$ must hold continuously).

With  respect  to  uniformity,  the  convergence  function  approach  resembles  the  invariance 
principle  for  proving  invariance  properties.  Another  common  feature  is  that  establishing  the 
premises  to  the  proof  rule  requires  only  static  (non-temporal)  reasoning. 
Convergence functions have been used successfully in proofs of termination of sequential programs and of rewriting systems (e.g., [M], [DM]). Their use is based on a mapping from the execution states of a program into a well-founded set, such that states which appear later in a computation correspond to lower values in the set. Consequently, a complete computation will correspond to a descending sequence, and an infinite computation would correspond to an infinitely descending sequence of well-founded elements, which is impossible. Such a mapping is called a convergence function or a ranking function.

A well-founded structure $(W, \succ)$ consists of a set $W$ and a partial order $\succ$ on $W$ such that any decreasing sequence $w_0 \succ w_1 \succ w_2 \succ \cdots$, where $w_i \in W$, is finite. A typical and frequently used well-founded structure is $(N, >)$, where $N$ is the set of all nonnegative integers, and $>$ is the usual "greater than" ordering. Obviously we cannot have an infinitely decreasing sequence of nonnegative integers, and therefore $(N, >)$ is indeed a well-founded structure.

A general method for deriving composite well-founded structures from simpler ones is the formation of lexicographical orderings. Let $(W_1, \succ_1)$ and $(W_2, \succ_2)$ be two well-founded structures. Then the structure $(W_1 \times W_2, \succ_{lex})$, where the lexicographic ordering $\succ_{lex}$ is defined by

$$(m_1, m_2) \succ_{lex} (n_1, n_2) \iff (m_1 \succ_1 n_1)\ \text{or}\ (m_1 = n_1\ \text{and}\ m_2 \succ_2 n_2),$$

is also well-founded.

Let us consider the application of the classical convergence function approach to the following concurrent program:

Example A (Program DGCD — distributed gcd computation):

    (y1, y2) := (x1, x2)

    l0: while y1 ≠ y2 do                        m0: while y1 ≠ y2 do
            if y1 > y2 then y1 := y1 − y2               if y1 < y2 then y2 := y2 − y1
    le: halt                                    me: halt
    — P1 —                                      — P2 —

This program performs the distributed computation of the gcd (greatest common divisor) of two positive integer inputs $x_1, x_2$. In the execution of this program, we assume each of the labelled instructions to be atomic in the sense that testing and modification of the variables by one process, say $P_1$ at $l_0$, are completed before the other process may access them. Note that when $P_1$ is activated in a state in which $y_1 < y_2$ it does not modify any of the variables and returns to $l_0$, thus replicating exactly the original state. Consequently, the termination, and hence the correctness of this program, depends very strongly on the basic assumption of fairness that we assume throughout this work. Only under fairness would each of $P_1$ and $P_2$ be activated as often as needed until convergence is achieved.

Trying to prove the convergence of this program by well-founded ranking immediately runs into difficulties when we fail to find a mapping into a well-founded set that will decrease at every step of the computation. No such function can exist for the above program since, as observed earlier, some steps may preserve the state and leave the value of a state-dependent convergence function constant. This points out emphatically that any well-founded argument may succeed only if it takes fairness into account.


PROGRAMS  AND  COMPUTATIONS 


For completeness we repeat some of the definitions of [MP1] and introduce some additional notation required here. Let $P$ be a program consisting of $m$ parallel processes:

$$P:\ \bar y := f_0(\bar x);\ [P_1 \| \ldots \| P_m].$$

Each process $P_i$ may be represented as a transition graph with locations (nodes) labelled by elements of $L_i$. The edges in the graph are labelled by guarded commands of the form $c(\bar y) \to [\bar y := f(\bar y)]$ whose meaning is that if $c(\bar y)$ is true the edge may be traversed while replacing $\bar y$ by $f(\bar y)$.

Let $l, l', \ldots, l''$ be locations in process $P_i$, with the edges leaving $l$ labelled as follows:

$$l \xrightarrow{\ c_1(\bar y) \to [\bar y := f_1(\bar y)]\ } l', \quad \ldots, \quad l \xrightarrow{\ c_k(\bar y) \to [\bar y := f_k(\bar y)]\ } l''.$$

We define $E_l(\bar y) = c_1(\bar y) \vee \ldots \vee c_k(\bar y)$ to be the exit condition at node $l$. Locations in the program can be classified according to their exit conditions.

• A location is regular if $E_l = true$. This is the case with locations such that the set of conditions labeling their outgoing transitions is exhaustive in the sense that for every possible value of $\bar y$ at least one transition is enabled. The only irregular locations are terminal locations and semaphore locations discussed next.

• A location is terminal if $E_l = false$. This is the case with locations labeling halt instructions which have no outgoing transitions. In our model we usually label these locations by $l_e$.

• Any location $l$ such that the exit condition $E_l(\bar y)$ is nontrivial is called a semaphore location. Examples of such locations are those corresponding to the instruction request($y_r$) whose transition diagram is:

$$(y_r > 0) \to [y_r := y_r - 1]$$

Note that $E_l(\bar y) = (y_r > 0)$. The request instruction is used in order to reserve a resource, where $y_r$ may be considered as counting the number of units of this resource currently available. Its symmetric counterpart, the release($y_r$) instruction, is used to release a reserved resource. Its transition diagram is:

$$true \to [y_r := y_r + 1]$$

The release instruction has as its exit condition $E_l = true$. Consequently its location is a regular location.

A state of the program $P$ is a tuple of the form $s = (\bar l; \bar\eta)$ with $\bar l \in L_1 \times \ldots \times L_m$ and $\bar\eta \in D^n$, where $D$ is the domain over which the program variables $y_1, \ldots, y_n$ range. The vector $\bar l$ is the set of current locations which are next to be executed in each of the processes. The vector $\bar\eta$ is the set of current values assumed by the program variables $\bar y$ at state $s$.

With each process $P_i$ we associate a state transition function $g_i$ that represents the possible outcomes of the activation of the process $P_i$ on the state $s$. If we denote by $S$ the set of all possible program states, $g_i$ is a function $g_i : S \to 2^S$.

Note that this definition allows for the possibility that $P_i$ is nondeterministic, since it is possible that $|g_i(s)| > 1$, i.e., there is more than one successor to $s$. Let $s = (\bar l; \bar\eta)$. If $l_i$ is a terminal location, or a semaphore location with $E_{l_i}(\bar\eta) = false$, then $P_i$ cannot be activated on $s$. In such a case $g_i(s) = \phi$ and we say that $P_i$ is disabled on $s$. If $l_i$ is a regular location, or a semaphore location with $E_{l_i}(\bar\eta) = true$, then $g_i(s) \ne \phi$ and we say that $P_i$ is enabled on $s$.

A state $s \in S$ such that all processes are disabled on $s$ is called terminal. A terminal state corresponds either to a situation in which all processes have terminated or to a deadlock in which all the nonterminated processes wait in a semaphore location with a false exit condition.

• An admissible computation is a labelled (possibly infinite) sequence:

$$\sigma:\ s_0 \xrightarrow{P_{i_1}} s_1 \xrightarrow{P_{i_2}} s_2 \xrightarrow{P_{i_3}} s_3 \cdots$$

such that every $s_j \in S$ and for every $j \ge 0$, we have $s_{j+1} \in g_{i_{j+1}}(s_j)$. Thus, such a computation could arise by an execution of the program starting from the initial state $s_0$. The computation will be finite only if it terminates in a terminal state $s_r$. We can think of such a computation as generated under the guidance of an imaginary scheduler which at each step selects one of the processes (called the activated or scheduled process) and lets it execute a single instruction.

• A $\bar\xi$-initialized computation is an admissible computation in which $s_0 = (l_0^1, \ldots, l_0^m; f_0(\bar\xi))$. Here $l_0^i$ is the initial location in process $P_i$ and $f_0$ is the initial assignment to the program variables.

• A computation is a $\bar\xi$-initialized computation or a suffix of a $\bar\xi$-initialized computation. Allowing suffixes of initialized computations enables us to study program behavior which may become observable only later in the computation.

• A $\varphi$-computation is a $\bar\xi$-computation for any input values $\bar\xi$ satisfying a precondition $\varphi$.

The  next  definition  embodies  the  basic  assumption  of  fairness: 


An admissible computation $\sigma$ is fair if there is no process $P_i$ such that $P_i$ is enabled an infinite number of times in $\sigma$, and $P_i$ is activated only finitely many times. Thus, fairness requires the imaginary scheduler to monitor the number of times a process becomes enabled, and to ensure that repeatedly enabled ones are not neglected forever. Any finite computation is necessarily fair.

In the absence of semaphore instructions, each process $P_i$ is initially enabled and can become disabled only by terminating. Hence we can define the weaker notion of just computation, which replaces the requirement of being enabled an infinite number of times by the requirement of being continuously enabled.

A computation $\sigma$ is just if there is no process $P_i$ such that $P_i$ is continuously enabled beyond a certain state $s$ in $\sigma$, and $P_i$ is activated only finitely many times. Any finite computation is by definition just.

We denote the classes of all fair and just computations of a program $P$ with precondition $\varphi$ by $\mathcal{F}(\varphi, P)$, $\mathcal{J}(\varphi, P)$ respectively, or $\mathcal{F}(P)$, $\mathcal{J}(P)$ when the precondition $\varphi$ is implicitly understood.

For an arbitrary program $P$ we have in general

$$\mathcal{F}(P) \subseteq \mathcal{J}(P),$$

i.e., every fair computation is also just, but there may exist just computations which are unfair.

To see that the first claim holds, let $\sigma$ be a fair computation. Let $P_i$ be any process that is continuously enabled beyond a certain state in $\sigma$. Thus, $P_i$ is certainly enabled an infinite number of times, and by fairness must be activated an infinite number of times. Hence $\sigma$ is just.


To show that the inclusion between the sets $\mathcal{F}(P)$ and $\mathcal{J}(P)$ may be strict consider the following program which is the simplest program modelling mutual exclusion:

    l0: request(y)        m0: request(y)
    l1: release(y)        m1: release(y)
    l2: go to l0          m2: go to m0
    — P1 —                — P2 —

The following computation:

$$\sigma:\ (l_0, m_0; 1) \xrightarrow{P_1} (l_1, m_0; 0) \xrightarrow{P_1} (l_2, m_0; 1) \xrightarrow{P_1} (l_0, m_0; 1) \xrightarrow{P_1} (l_1, m_0; 0) \xrightarrow{P_1} (l_2, m_0; 1) \xrightarrow{P_1} \cdots$$

is just. The process $P_1$ is activated infinitely many times. On the other hand $P_2$ is never continuously enabled since it is disabled in the infinitely recurring state $(l_1, m_0; 0)$, therefore justice does not require it to be activated at all. Obviously $\sigma$ is unfair since $P_2$ is also enabled infinitely many times on all recurrences of $(l_0, m_0; 1)$, but is never activated.

However when $P$ contains no semaphore instructions we may use the above observation that a process is continuously enabled if and only if it is enabled infinitely many times, to conclude:

For a program without semaphores: $\mathcal{F}(P) = \mathcal{J}(P)$.

Thus, in order to study programs without semaphores, we need only consider properties that hold for the class of all just computations.
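As an added example (not part of the paper), the following Python code encodes the two-process semaphore program above and decides, for a periodic computation given as a prefix plus a cycle that repeats forever, whether it is admissible, just and fair according to the definitions of this section; the paper's computation $\sigma$ comes out just but unfair, while a constructed computation in which the processes alternate is both. The tuple encoding $(l, m; y)$ with locations numbered 0, 1, 2 and the assumption that the semaphore $y$ starts at 1 are this example's own.

```python
# Added example, not from the paper: justice vs. fairness of periodic computations
# of the two-process semaphore program (l0/m0: request(y), l1/m1: release(y),
# l2/m2: go to l0/m0). State encoding (l, m, y) is ours.
P1, P2 = 1, 2


def g(i, s):
    """Transition function g_i on s = (l, m, y); locations are numbered 0, 1, 2
    and y is the semaphore. An empty set means P_i is disabled on s."""
    l, m, y = s
    loc = l if i == P1 else m
    if loc == 0 and y == 0:          # request(y) with exit condition (y > 0) false
        return set()
    new_loc, new_y = {0: (1, y - 1), 1: (2, y + 1), 2: (0, y)}[loc]
    return {(new_loc, m, new_y)} if i == P1 else {(l, new_loc, new_y)}


def enabled(i, s):
    return bool(g(i, s))


def is_admissible(prefix, cycle):
    """Every step s_j -P-> s_{j+1} of prefix + cycle (the cycle closes on its
    first state) must satisfy s_{j+1} in g_P(s_j). Steps are (state, process) pairs."""
    steps = prefix + cycle
    states = [s for s, _ in steps] + [cycle[0][0]]
    return all(states[j + 1] in g(p, states[j]) for j, (_, p) in enumerate(steps))


def is_fair(cycle):
    """Fair: no process that is enabled infinitely often (i.e. at some state of
    the cycle) is activated only finitely often (i.e. never inside the cycle)."""
    activated = {p for _, p in cycle}
    return all(i in activated or not any(enabled(i, s) for s, _ in cycle)
               for i in (P1, P2))


def is_just(cycle):
    """Just: no process that is continuously enabled (at every state of the
    cycle) is activated only finitely often."""
    activated = {p for _, p in cycle}
    return all(i in activated or not all(enabled(i, s) for s, _ in cycle)
               for i in (P1, P2))


# The paper's computation sigma: P1 alone cycles through request/release/go to.
SIGMA = [((0, 0, 1), P1), ((1, 0, 0), P1), ((2, 0, 1), P1)]

# A constructed computation in which the two processes alternate.
ALTERNATING = [((0, 0, 1), P1), ((1, 0, 0), P1), ((2, 0, 1), P2),
               ((2, 1, 0), P1), ((0, 1, 0), P2), ((0, 2, 1), P2)]
```

Because `is_just` only looks at the cycle, a process that is enabled in some but not all cycle states (here $P_2$ in $\sigma$, disabled at $(l_1, m_0; 0)$) escapes the justice requirement exactly as the text describes.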

PROGRAMS WITHOUT SEMAPHORES - JUST COMPUTATIONS

In  this  section  we  present  a  proof  principle  enabling  us  to  prove  eventuality  properties  that 
hold  for  the  class  of  just  computations  J(P). 

The basic idea of the proof principle is to assign a convergence function $u : S \to W$ mapping the program states into a well-founded structure $W$. However, as shown in examples such as the DGCD program above, we should not require the function to decrease at every step. Instead we require that the function never increases and that for each state there is always a process $P_i$, called the helpful process for this state, such that the activation of this process guarantees a decrease in the value of the function. By justice this helpful process will eventually be scheduled, so that any infinite just computation will necessarily generate an infinitely decreasing subsequence of well-founded elements, a contradiction. In the general case, the identity of the helpful process may vary from state to state. We therefore introduce a helpfulness function $h : S \to \{1, \ldots, m\}$ that identifies one helpful process $P_{h(s)}$ for each state $s \in S$.

We suggest the following proof method for proving precedence and eventuality properties of just computations.

Proof Method J:

For proving eventualities of the form $\varphi \supset \Diamond\psi$ under all just computations of a program $P$, find a state predicate $Q = Q(s)$, a well-founded structure $(W, \succ)$, a convergence function $u : S \to W$ and a helpfulness function $h : S \to \{1, \ldots, m\}$ such that:

J1. $\models\ \varphi \supset (\psi \vee Q)$

J2. $\models\ Q(s) \supset (g_{h(s)}(s) \ne \phi)$

J3. $\models\ [Q(s) \wedge s' \in g_i(s)] \supset [\psi(s') \vee (Q(s') \wedge (u(s) \succeq u(s')))]$   for $i = 1, \ldots, m$

J4. $\models\ [Q(s) \wedge s' \in g_{h(s)}(s)] \supset [\psi(s') \vee (u(s) \succ u(s'))]$

J5. $\models\ [Q(s) \wedge s' \in g_i(s) \wedge (u(s) = u(s'))] \supset [\psi(s') \vee (h(s) = h(s'))]$   for $i = 1, \ldots, m$

Then we may conclude that:

$$\mathcal{J}(P) \models\ \varphi \supset \Diamond\psi.$$


In these, $Q(s)$ is an invariant which is expected to remain true from the time $\varphi$ becomes true until $\psi$ is realized. Requirement J1 states that if $\varphi$ holds for a state then either $\psi$ or $Q$ must hold in this state. J2 requires that the process that is helpful for a state $s$ be enabled on $s$. J3 states that each step in the computation either realizes $\psi$ or preserves $Q$ and produces a value of $u$ that is not higher than the value before the step. J4 states that taking a helpful step actually decreases the value of $u$. J5 states that a step which does not decrease the value of $u$ must preserve the identity of the helpful process. The last condition is necessary in order to avoid an infinite sequence with constant value of $u$ and continuously changing $h$. Such a sequence may be just but yet avoid realizing $\psi$.

Proof:

Let us justify this proof method by showing that if we succeed in finding $Q$, $W$, $u$ and $h$ as described above then indeed every just computation must satisfy $\varphi \supset \Diamond\psi$.

Let us consider a just computation:

$$\sigma:\ s_0 \xrightarrow{P_{i_1}} s_1 \xrightarrow{P_{i_2}} s_2 \xrightarrow{P_{i_3}} \cdots,$$

such that $\varphi(s_0)$ is true and $\psi$ is nowhere realized. By J1 and J3, $Q(s_i)$ must be true for every $s_i$ in the sequence. By J2 the sequence must be infinite since, for every $s_i$, $P_{h(s_i)}$ is enabled. Again by J3 the sequence of $u$ values $u(s_0) \succeq u(s_1) \succeq \ldots$ must be a non-increasing sequence. By the well-foundedness of $W$ there must be a $k$ such that

$$u(s_k) = u(s_{k+1}) = \cdots$$

By J5, $h$ also remains constant from $s_k$ on, that is

$$h(s_k) = h(s_{k+1}) = \cdots$$

Let its constant value be $r = h(s_k)$. In view of J4, $P_r$ was never activated beyond $s_k$ because its activation would have caused $u$ to decrease. In view of J2, $P_r$ is continuously enabled beyond $s_k$ since everywhere $h(s_i) = r$ for $i \ge k$. This is obviously a blatant case of injustice, $P_r$ being continuously enabled and never activated. Thus, just sequences failing to realize $\psi$ cannot exist, and any just sequence initialized with $\varphi$ must eventually realize $\psi$. □

By looking at the proof for eventualities we observe that it guarantees the eventual realization of $\psi$ and, by J1 and J3, as long as $\psi$ is not realized, $Q$ holds. This is exactly the definition of the until expression $Q\ \mathcal{U}\ \psi$. We therefore have:

Corollary: The proof method J also proves

$$\mathcal{J}(P) \models\ \varphi \supset (Q\ \mathcal{U}\ \psi).$$

The treatment in [LPS] implies that this method is also complete, namely that if $\varphi \supset \Diamond\psi$ is true for all just computations of $P$ then there always exist some $Q$, $W$, $u$, and $h$ satisfying J1 to J5.

Related  work  dealing  with  similar  methods  for  establishing  fair  termination,  which  is  a  special 
case  of  eventuality,  is  contained  in  [GFMR],  [AO]  and  [Pa].  Earlier  work  on  the  termination  of 
concurrent  programs  is  described  in  [K],  [Pn]. 

We  will  now  proceed  to  illustrate  the  application  of  this  method  to  proofs  of  eventuality 
properties  of  programs  without  semaphores. 
Example A (Program DGCD — distributed gcd computation):

Consider again the DGCD program. Let

$$\varphi:\ at\,l_0 \wedge at\,m_0 \wedge (y_1, y_2) = (x_1, x_2) \wedge x_1 > 0 \wedge x_2 > 0$$

and

$$\psi:\ at\,l_0 \wedge at\,m_0 \wedge y_1 = y_2 = gcd(x_1, x_2).$$

We wish to prove

$$\models\ \varphi \supset \Diamond\psi,$$

i.e.,

$$\mathcal{J}(P) \models\ (at\,l_0 \wedge at\,m_0 \wedge (y_1, y_2) = (x_1, x_2) \wedge x_1 > 0 \wedge x_2 > 0) \supset \Diamond[at\,l_0 \wedge at\,m_0 \wedge y_1 = y_2 = gcd(x_1, x_2)].$$

That is, being at the starting point of the program with $(y_1, y_2) = (x_1, x_2)$ and positive inputs $x_1 > 0$, $x_2 > 0$, we are guaranteed to eventually get back to that point with $y_1$ being the greatest common divisor of $x_1, x_2$.

We choose $Q$, $W$, $u$, and $h$ as follows:

$Q(s):\ at\,l_0 \wedge at\,m_0 \wedge y_1 > 0 \wedge y_2 > 0 \wedge gcd(y_1, y_2) = gcd(x_1, x_2) \wedge y_1 \ne y_2$

$W:\ (N, >)$, the nonnegative integers with the "greater than" relation

$u(y_1, y_2):\ y_1 + y_2$

$h(y_1, y_2):$ if $y_1 > y_2$ then $P_1$ else $P_2$

We have intentionally displayed $h$ as a function into $\{P_1, P_2\}$ rather than $\{1, 2\}$ to stress the fact that it selects processes. It is not difficult to verify that requirements J1 to J5 hold for this choice of $Q$, $W$, $u$, and $h$. In particular, we note that $Q$ implies that when $y_1 > y_2$, $P_1$ is helpful in decreasing $y_1 + y_2$, while for $y_1 \le y_2$ (by $Q$, $y_1 < y_2$) $P_2$ is helpful. Note that once we are at $(l_0, m_0)$ with $y_1 = y_2$ the program will immediately proceed to the termination state at $(l_e, m_e)$.
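As an added illustration (not part of the paper), the following Python code models the DGCD program of Example A as the transition functions $g_1, g_2$ and checks premises J1 to J5 mechanically, over all states reachable from the $\varphi$-state, for the paper's choice of $Q$, $W$, $u$ and $h$; it also exhibits the state-preserving step of the non-helpful process, which is why no ranking can decrease on every step, and shows that a badly chosen $h$ violates J4. The location names `L0`, `LE`, `M0`, `ME` and the tuple encoding of states are this example's own.

```python
# Added example, not from the paper: checking Proof Method J for DGCD on concrete inputs.
from math import gcd

P1, P2 = 1, 2                            # process indices, the range of h : S -> {1, 2}
L0, LE, M0, ME = "l0", "le", "m0", "me"  # control locations of P1 and P2 (names are ours)


def g(i, s):
    """Transition function g_i: set of successors when P_i is activated on
    s = (l, m, y1, y2). The empty set means P_i is disabled on s."""
    l, m, y1, y2 = s
    if i == P1:
        if l != L0:                      # le is a terminal location
            return set()
        if y1 == y2:
            return {(LE, m, y1, y2)}     # exit the while loop and halt
        if y1 > y2:
            return {(L0, m, y1 - y2, y2)}
        return {s}                       # y1 < y2: the test fails, the state is replicated
    if m != M0:
        return set()
    if y1 == y2:
        return {(l, ME, y1, y2)}
    if y1 < y2:
        return {(l, M0, y1, y2 - y1)}
    return {s}                           # y1 > y2: P2's step preserves the state


def reachable(s0):
    """All states reachable from s0 under any interleaving of P1 and P2."""
    seen, todo = {s0}, [s0]
    while todo:
        s = todo.pop()
        for i in (P1, P2):
            for t in g(i, s) - seen:
                seen.add(t)
                todo.append(t)
    return seen


def check_method_j(x1, x2, h=None):
    """Check J1..J5 for the paper's Q, u, h (h may be overridden to watch a
    premise fail) on every state reachable from the phi-state for x1, x2 > 0.
    Returns a dict telling which premises hold."""
    target = gcd(x1, x2)
    phi = lambda s: s[0] == L0 and s[1] == M0 and (s[2], s[3]) == (x1, x2)
    psi = lambda s: s[0] == L0 and s[1] == M0 and s[2] == s[3] == target
    Q = lambda s: (s[0] == L0 and s[1] == M0 and s[2] > 0 and s[3] > 0
                   and gcd(s[2], s[3]) == target and s[2] != s[3])
    u = lambda s: s[2] + s[3]                         # convergence function into (N, >)
    h = h or (lambda s: P1 if s[2] > s[3] else P2)    # the paper's helpfulness function
    ok = {"J1": True, "J2": True, "J3": True, "J4": True, "J5": True}
    for s in reachable((L0, M0, x1, x2)):
        if phi(s) and not (psi(s) or Q(s)):
            ok["J1"] = False
        if not Q(s):
            continue                                  # J2..J5 only constrain Q-states
        if not g(h(s), s):
            ok["J2"] = False                          # the helpful process must be enabled
        for i in (P1, P2):
            for t in g(i, s):
                if psi(t):
                    continue                          # this step realized psi
                if not (Q(t) and u(s) >= u(t)):
                    ok["J3"] = False                  # Q preserved and u non-increasing
                if i == h(s) and not u(s) > u(t):
                    ok["J4"] = False                  # a helpful step must decrease u
                if u(s) == u(t) and h(s) != h(t):
                    ok["J5"] = False                  # constant u => same helpful process
    return ok


def has_state_preserving_step(x1, x2):
    """True if some reachable state s has s in g_i(s): the idle step of the
    non-helpful process, which rules out a ranking that decreases on every step."""
    return any(s in g(i, s) for s in reachable((L0, M0, x1, x2)) for i in (P1, P2))
```

Overriding `h` with the constant $P_1$ keeps J2 satisfied (the idle step is still a step) but breaks J4, which is the premise that makes justice bite.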

AN  INDEXING  METHOD  FOR  JUST  COMPUTATIONS 

A variant of the convergence function approach uses elements of well-founded sets as indices to predicates. As we will show below the two variants are essentially equivalent, but certain problems may admit proofs that are easier to present in the indexed form than in the convergence function form. As before, the method is based on finding a well-founded set $(V, \succ)$. We then consider predicates $R_v(s)$ with $v \in V$, $s \in S$ which are state predicates indexed by elements of $V$. States appearing later in the computation will satisfy $R_v$ with lower values of $v$. Convergence is therefore assured by the impossibility of having a sequence of $R_{v_i}$ with infinitely decreasing values of $v_i$. However, as before we cannot guarantee a strict decrease on every step. We therefore specify a decrease function $\delta : V \to \{1, \ldots, m\}$ which, similarly to the helpfulness function $h$, identifies the


For proving eventualities of the form $\varphi \supset \Diamond\psi$ under all just computations of a program $P$, find a well-founded structure $(V, \succ)$, an indexed family of predicates $R_v = R_v(s)$, $v \in V$, and a decrease function $\delta : V \to \{1, \ldots, m\}$ such that:

IJ1. $\models\ \varphi \supset [\psi \vee (\exists v \in V.\, R_v)]$

IJ2. $\models\ R_v(s) \supset (g_{\delta(v)}(s) \ne \phi)$

IJ3. $\models\ [R_v(s) \wedge s' \in g_i(s)] \supset [\psi(s') \vee \exists u (u \preceq v).\, R_u(s')]$   for $i = 1, \ldots, m$

IJ4. $\models\ [R_v(s) \wedge s' \in g_{\delta(v)}(s)] \supset [\psi(s') \vee \exists u (u \prec v).\, R_u(s')]$

Then we may conclude that

$$\mathcal{J}(P) \models\ \varphi \supset \Diamond\psi.$$

A stronger conclusion is:

$$\mathcal{J}(P) \models\ \varphi \supset (\exists v.\, R_v)\ \mathcal{U}\ \psi.$$

Requirements IJ1 to IJ4 resemble very closely J1 to J4 and fulfill similar roles. There is no need for a counterpart to J5 since if $s$ satisfies $R_v(s)$, $s' \in g_i(s)$ and also $R_v(s')$ then the decreasing process for $s$, being determined by $v$ alone, is also the decreasing process for $s'$. The proof method IJ appeared first in a structured form, applied to nondeterministic programs ([GFMR]).

The similarity between the methods suggests that they are in fact equivalent. Indeed we make the following claim:

Method J is applicable if and only if method IJ is applicable.

Proof. 

Assume first that method J is applicable. This means that we have found $Q$, $(W, \succ)$, $u$ and $h$ satisfying requirements J1 to J5. To show that this implies the applicability of IJ we choose as follows:

The well-founded structure $(V, \succ_V)$ is given by $V = W \times \{1, \ldots, m\}$, where

$$(w_1, i) \succ_V (w_2, j) \iff w_1 \succ_W w_2\ \text{or}\ (w_1 = w_2\ \text{and}\ i > j).$$

Thus, an element of $V$ is a pair $(w, i)$ with $w \in W$ and $1 \le i \le m$, and the ordering $\succ_V$ is the lexicographic ordering induced by the ordering on $W$ and on the natural numbers.

$R_{(w,i)}(s)$ is defined by $Q(s) \wedge [u(s) = w] \wedge [h(s) = i]$ and

$$\delta(w, i) = i.$$


It is an easy matter to verify the fulfilment of requirements IJ1 to IJ4. Consider for example the verification of condition IJ3.

Let $s, s'$ be two states such that $R_{(w,j)}(s)$ holds and $s' \in g_i(s)$. By the definition of $R$ we know that $Q(s)$ is true and $u(s) = w$, $h(s) = j$. By J3 either $\psi(s')$ is true, which immediately satisfies IJ3, or $Q(s')$ holds and $w = u(s) \succeq u(s') = w'$. Thus, by the definition of $R$, $R_{(w', h(s'))}(s')$ is true. It remains to show that $(w, j) = (w, h(s)) \succeq_V (w', h(s'))$. If $w \succ w'$ then this is certainly the case. Consider therefore the possibility that $w = w'$. But then by J5 also $h(s) = h(s')$, leading to $(w, h(s)) = (w', h(s'))$ as required.

To go in the other direction assume that $(V, \succ)$, $R_v$ and $\delta$ as required for method IJ have been found. We will show how to select $Q$, $(W, \succ)$, $u$ and $h$ that will satisfy the requirements of method J.

For simplicity we assume that the order $\succ$ is a total (linear) order. We may then take the well-founded structure $(W, \succ)$ to be $(V, \succ)$. $Q(s)$ is defined by $\exists v.\, R_v(s)$ and $u(s)$ is given by $\min\{v \mid R_v(s)\}$ for an $s$ which satisfies $Q$ and arbitrarily otherwise. If $W$ is a total well-founded order every nonempty subset of $W$ has a minimal element which is smaller than any other element of the set. The helpfulness function $h(s)$ is defined as $\delta(u(s))$.

It is an easy matter to verify that $Q$, $u$, and $h$ satisfy requirements J1 to J5. □


DIAGRAM REPRESENTATION OF THE INDEXING METHOD


In the case that the indexing set $V$ is finite there is a convenient graph representation of the indexing method. This is certainly the case when the program $P$ has only finitely many possible states.

In the graph or diagram representation there is a node $n_v$ for each $R_v$, $v \in V$. Without loss of generality we may assume $V$ to be an initial segment of the natural numbers $V = \{1, 2, \ldots, k\}$. Thus we have nodes $n_i$, $i = 1, \ldots, k$. A special node $n_0$ represents $\psi$. For every $s \in R_i$, $s' \in R_j$ (i.e. $R_i(s) = R_j(s') = true$) such that $s' \in g_r(s)$ we draw an edge $e$ from $n_i$ to $n_j$. The edge $e$ is labelled by $P_r$, the process effecting the transition. Similarly, for every $s \in R_i$, $s' \in \psi$ such that $s' \in g_r(s)$ we draw an edge from $n_i$ to $n_0$ and label it by $P_r$.

In order for a diagram to represent a valid proof by method IJ the following conditions must hold:

A. For every edge connecting $n_i$ to $n_j$ we must have $i \ge j$.

B. For every $n_i$, $i > 0$, there must exist some $P_r$ (the helpful process) such that all edges labelled by $P_r$ lead from $n_i$ to some $n_j$ with $i > j$ and such that $P_r$ is enabled on all states $s \in R_i$.

In the diagram we represent edges corresponding to the helpful process by double arrows $\Rightarrow$.



We  illustrate  diagram  proofs  by  two  additional  examples. 


Example B (The Peterson–Fischer Algorithm (PF) — a distributed solution of the mutual exclusion problem):

    y1 := t1 := y2 := t2 := ⊥

    l0: noncritical section 1                  m0: noncritical section 2
    l1: t1 := if y2 = F then F else T          m1: t2 := if y1 = T then F else T
    l2: y1 := t1                               m2: y2 := t2
    l3: if y2 ≠ ⊥ then t1 := y2                m3: if y1 ≠ ⊥ then t2 := ¬y1
    l4: y1 := t1                               m4: y2 := t2
    l5: loop while y1 = y2                     m5: loop while ¬y2 = y1
    l6: go to l0                               m6: go to m0
    — P1 —                                     — P2 —


This program provides a distributed solution for achieving mutual exclusion without semaphores; the boxed segments are the critical sections to which we wish to provide exclusive access. It is assumed that both critical and noncritical sections do not modify the variables $y_1$ and $y_2$. Also, it is mandatory that the critical section itself must terminate. The program is distributed in the sense that each process $P_i$ has its own memory $y_i$ which is readable by the other but writable only by itself.

The basic idea of the protection mechanism of this program is that when competing for the access rights to their critical sections, $P_1$ attempts to make $y_1 = y_2$ by the statements $l_1$ to $l_4$ while $P_2$ attempts to make $y_2 = \neg y_1$ in statements $m_1$ to $m_4$. The synchronization variables $y_1$ and $y_2$ range over the set $\{\bot, F, T\}$, where $\bot$ signifies no interest in entering the critical section. The partial operator $\neg$ is defined by

$$\neg T = F,\quad \neg F = T,\quad \neg\bot\ \text{is undefined}.$$

Hence in writing $\neg y_2 = y_1$ we also imply that $y_1 \ne \bot$ and $y_2 \ne \bot$. Protection is assured essentially by the exclusion of the entry conditions $y_1 \ne y_2$ and $\neg y_2 \ne y_1$ when both $y_1$ and $y_2$ are different from $\bot$, since $y_i \ne \bot$ when $P_i$ is waiting to enter its critical section.

A point unique to this algorithm is that although $P_1$ attempts to establish the condition $y_1 = y_2$ in $l_1$ to $l_4$, the condition for $P_1$ actually entering the critical section is the complementary condition $y_1 \ne y_2$. Thus, if both processes actively compete for entry, $P_1$ sets $y_1$ equal to $y_2$ and then waits for the other process to set $y_2$ to a value different from $y_1$. If $P_2$ is not currently interested in gaining access to the critical section, then $y_2 = \bot$ which will cause the statements in $l_1$ to $l_4$ to set $y_1$ to $T$; testing at $l_5$, $P_1$ will find that indeed $y_1 = T \ne y_2 = \bot$ and enter immediately.

By simple application of the invariance principle it is possible to derive the following invariants:

$$\models (t_1 \neq \bot) \equiv \mathit{at}\,l_{2..6}$$
$$\models (y_1 \neq \bot) \equiv \mathit{at}\,l_{3..6}$$
$$\models (t_2 \neq \bot) \equiv \mathit{at}\,m_{2..6}$$
$$\models (y_2 \neq \bot) \equiv \mathit{at}\,m_{3..6}$$

where $\mathit{at}\,l_{2..5}$ stands for $\mathit{at}\,l_2 \lor \mathit{at}\,l_3 \lor \ldots \lor \mathit{at}\,l_5$, etc.

Figure 1. Diagram proof for PF (diagram not recoverable from the scan).

The eventuality property we wish to show for this program is

$$\models \mathit{at}\,l_1 \supset \Diamond\,\mathit{at}\,l_6.$$

In Figure 1 we present a diagram proof for this property. In constructing the diagram we have freely used the four invariants derived above. Observe in particular node number 6,

$$6 : \; l_5, m_0,$$

in which the helpful process (indicated by a double arrow $\Rightarrow$) is $P_1$, since we know that $y_2 = \bot$. In this diagram we abbreviate $\mathit{at}\,l_5 \land \mathit{at}\,m_0$ to $l_5, m_0$.

To illustrate the application of method IJ to the proof of until properties, consider the following precedence property:

$$\models [\mathit{at}\,l_5 \land \lnot\mathit{at}\,m_{4..6}] \supset [(\lnot\mathit{at}\,m_6)\ \mathcal{U}\ (\mathit{at}\,l_6)].$$

It states that if $P_1$ arrived at $l_5$ before $P_2$ arrived at any location in $\{m_4, m_5, m_6\}$ then $P_1$ will be admitted first to its critical section. To prove this we only have to consider the subdiagram consisting of nodes 0 to 7. Certainly,

$$[\mathit{at}\,l_5 \land \lnot\mathit{at}\,m_{4..6}] \supset [R_0 \lor R_8 \lor R_5 \lor R_1 \lor R_3].$$

Therefore this is an admissible diagram in the sense that condition IJ1 is satisfied. It establishes that $\mathit{at}\,l_6$ will eventually be realized and all the intermediate states are covered by $\bigvee_{j=1}^{7} R_j$, which implies $\lnot\mathit{at}\,m_6$. ∎

Example C (The Dekker program (DK) - a shared variable solution of the mutual exclusion problem):

    t := 1, y1 := y2 := F

    l0 : noncritical section 1               m0 : noncritical section 2
    l1 : y1 := T                             m1 : y2 := T
    l2 : if y2 = F then go to l7             m2 : if y1 = F then go to m7
    l3 : if t = 1 then go to l2              m3 : if t = 2 then go to m2
    l4 : y1 := F                             m4 : y2 := F
    l5 : loop until t = 1                    m5 : loop until t = 2
    l6 : go to l1                            m6 : go to m1
    l7 : [ critical section 1 ; t := 2 ]     m7 : [ critical section 2 ; t := 1 ]
    l8 : y1 := F                             m8 : y2 := F
    l9 : go to l0                            m9 : go to m0
    - P1 -                                   - P2 -

Figure 2. Diagram proof for DK (the node contents of the diagram are not recoverable from the scan).


The variable $y_1$ in process $P_1$ (and $y_2$ in $P_2$ respectively) is set to $T$ at $l_1$ to signal the intention of $P_1$ to enter its critical section at $l_7$. Next $P_1$ tests at $l_2$ whether $P_2$ has any interest in entering its own critical section. This is tested by checking if $y_2 = T$. If $y_2 = F$, $P_1$ proceeds immediately to its critical section. If $y_2 = T$ we have a competition between the two processes on the access right to their critical sections. This competition is resolved by using the variable $t$ (turn), which has the value 1 if in case of conflict $P_1$ has the higher priority and the value 2 if $P_2$ has the higher priority. If $P_1$ finds that $t = 1$ it knows it is its turn to insist, and it leaves $y_1$ on and just loops between $l_2$ and $l_3$ waiting for $y_2$ to drop to $F$. If it finds that $t = 2$ it realizes it should yield to $P_2$, and consequently it turns $y_1$ off and enters a waiting loop at $l_5$, waiting for $t$ to change to 1. As soon as $P_2$ exits its critical section it will reset $t$ to 1, so $P_1$ will not be waiting forever. Once $t$ has been detected to be 1, $P_1$ sets $y_1$ to $T$ again (at $l_1$) and returns to the active competition at $l_2$.

For the DK program we wish to show:

$$\models \mathit{at}\,l_1 \supset \Diamond\,\mathit{at}\,l_7.$$

In Figure 2 we present a diagram proof of this property. In constructing the proof we made use of some invariants that are easily derivable, namely:

$$\models (y_1 = T) \equiv (\mathit{at}\,l_{2..4} \lor \mathit{at}\,l_{7,8})$$
$$\models (y_2 = T) \equiv (\mathit{at}\,m_{2..4} \lor \mathit{at}\,m_{7,8})$$
$$\models (\mathit{at}\,l_{3..6} \land t = 2) \supset \mathit{at}\,m_{1..7}.$$

For example, we used the last invariant in order to decide that at node 23 the $P_1$ successors to states in which $\mathit{at}\,l_4 \land (t = 2)$ may have $P_2$ anywhere but at $m_0$, $m_8$ or $m_9$.

Again we may use the extension of the method in order to prove some precedence properties of this program. First we can show:

$$\models [\mathit{at}\,l_{2,3} \land (t = 1) \land \lnot\mathit{at}\,m_7] \supset [(\lnot\mathit{at}\,m_7)\ \mathcal{U}\ (\mathit{at}\,l_7)].$$

This is established by considering the subdiagram formed out of nodes 0 to 10. It ensures that once $P_1$ is in $l_{2,3}$ with $t = 1$, it will precede $P_2$ in getting to the critical section. An almost trivial observation is that

$$\models \mathit{at}\,m_8 \supset [(t = 1)\ \mathcal{U}\ (\mathit{at}\,l_7)].$$

In analyzing the amount of overtaking by which $P_2$ can precede $P_1$ in entering the critical section we find the following:

Once $P_1$ is in $l_1$ it will eventually get to $l_2$. If currently $t = 1$, then the next process to enter its critical section is $P_1$. Otherwise, in the worst case $P_1$ proceeds from $l_2$ to $l_5$. $P_2$ cannot enter its critical section more than once without setting $t$ to 1. Once $t = 1$, $P_1$ returns to $l_2$, ensuring its priority on the entrance rights to the critical section. A certain amount of overtaking, i.e., $P_2$ entering its critical section several times before $P_1$, may take place during the transition of $P_1$ from $l_5$ to $l_2$. ∎
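As an added example, not part of the paper: a small Python state-space explorer for the DK program as listed in Example C. The process steps are transcribed from the listing (the busy-waiting loops at l5 and m5 become self-loops; critical and noncritical sections become single steps that leave y1, y2 and t alone except for the t assignment inside the box). By enumerating every reachable interleaving it checks the three invariants used in the diagram proof, mutual exclusion of l7 and m7, the observation at m8 ⊃ t = 1, and the safety half of the precedence property (no run starting from at l2,3 ∧ t = 1 ∧ ¬at m7 reaches at m7 before at l7). The eventuality halves are what the diagram proof supplies under justice; an exhaustive enumeration of this kind can only confirm invariance and precedence-safety, which is exactly why the paper separates the two kinds of property.

```python
"""Exhaustive state-space check of the Dekker program DK (Example C).

Added example: the program text is transcribed from the listing; the
exploration, invariants and the precedence check are ours, not the paper's.
A state is (pc1, pc2, y1, y2, t): P1 is at l_pc1, P2 at m_pc2.
"""
from collections import deque

T, F = True, False
INITIAL = (0, 0, F, F, 1)            # t := 1, y1 := y2 := F, processes at l0 / m0


def step_p1(s):
    """Successor of s after one step of P1 (self-loop while busy-waiting at l5)."""
    pc1, pc2, y1, y2, t = s
    if pc1 == 0: return (1, pc2, y1, y2, t)                     # l0: noncritical section 1
    if pc1 == 1: return (2, pc2, T, y2, t)                      # l1: y1 := T
    if pc1 == 2: return (7 if y2 == F else 3, pc2, y1, y2, t)   # l2: if y2 = F then go to l7
    if pc1 == 3: return (2 if t == 1 else 4, pc2, y1, y2, t)    # l3: if t = 1 then go to l2
    if pc1 == 4: return (5, pc2, F, y2, t)                      # l4: y1 := F
    if pc1 == 5: return (6 if t == 1 else 5, pc2, y1, y2, t)    # l5: loop until t = 1
    if pc1 == 6: return (1, pc2, y1, y2, t)                     # l6: go to l1
    if pc1 == 7: return (8, pc2, y1, y2, 2)                     # l7: critical section 1; t := 2
    if pc1 == 8: return (9, pc2, F, y2, t)                      # l8: y1 := F
    return (0, pc2, y1, y2, t)                                   # l9: go to l0


def step_p2(s):
    """Successor of s after one step of P2 (mirror image of P1, t = 2 is its turn)."""
    pc1, pc2, y1, y2, t = s
    if pc2 == 0: return (pc1, 1, y1, y2, t)                     # m0: noncritical section 2
    if pc2 == 1: return (pc1, 2, y1, T, t)                      # m1: y2 := T
    if pc2 == 2: return (pc1, 7 if y1 == F else 3, y1, y2, t)   # m2: if y1 = F then go to m7
    if pc2 == 3: return (pc1, 2 if t == 2 else 4, y1, y2, t)    # m3: if t = 2 then go to m2
    if pc2 == 4: return (pc1, 5, y1, F, t)                      # m4: y2 := F
    if pc2 == 5: return (pc1, 6 if t == 2 else 5, y1, y2, t)    # m5: loop until t = 2
    if pc2 == 6: return (pc1, 1, y1, y2, t)                     # m6: go to m1
    if pc2 == 7: return (pc1, 8, y1, y2, 1)                     # m7: critical section 2; t := 1
    if pc2 == 8: return (pc1, 9, y1, F, t)                      # m8: y2 := F
    return (pc1, 0, y1, y2, t)                                   # m9: go to m0


def reachable(start=INITIAL):
    """Breadth-first enumeration of every state reachable under any interleaving."""
    seen, work = {start}, deque([start])
    while work:
        s = work.popleft()
        for s2 in (step_p1(s), step_p2(s)):
            if s2 not in seen:
                seen.add(s2)
                work.append(s2)
    return seen


def holds_everywhere(pred):
    """Invariance: pred is true in every reachable state."""
    return all(pred(s) for s in reachable())


# The three invariants quoted in the text, plus the two safety facts it relies on.
def inv_y1(s):     return (s[2] == T) == (s[0] in (2, 3, 4, 7, 8))   # (y1 = T) ≡ at l2..4 ∨ at l7,8
def inv_y2(s):     return (s[3] == T) == (s[1] in (2, 3, 4, 7, 8))   # (y2 = T) ≡ at m2..4 ∨ at m7,8
def inv_turn(s):   return not (s[0] in (3, 4, 5, 6) and s[4] == 2) or 1 <= s[1] <= 7  # (at l3..6 ∧ t = 2) ⊃ at m1..7
def mutex(s):      return not (s[0] == 7 and s[1] == 7)              # never both in their critical sections
def turn_at_m8(s): return s[1] != 8 or s[4] == 1                     # at m8 ⊃ t = 1


def no_m7_before_l7():
    """Safety half of [at l2,3 ∧ t = 1 ∧ ¬at m7] ⊃ [(¬at m7) U (at l7)]: from every
    reachable state satisfying the antecedent, no interleaving reaches at m7 without
    first passing through at l7.  (The eventuality half is what the diagram proves.)"""
    for start in reachable():
        if start[0] not in (2, 3) or start[4] != 1 or start[1] == 7:
            continue
        seen, work = {start}, [start]
        while work:
            s = work.pop()
            if s[0] == 7:
                continue                      # goal reached: this branch is done
            if s[1] == 7:
                return False                  # P2 entered first: property violated
            for s2 in (step_p1(s), step_p2(s)):
                if s2 not in seen:
                    seen.add(s2)
                    work.append(s2)
    return True


if __name__ == "__main__":
    print(len(reachable()), "reachable states")
    for name, pred in [("inv_y1", inv_y1), ("inv_y2", inv_y2), ("inv_turn", inv_turn),
                       ("mutex", mutex), ("turn_at_m8", turn_at_m8)]:
        print(name, holds_everywhere(pred))
    print("no m7 before l7:", no_m7_before_l7())
```

The state space is tiny (two program counters, two flags, one turn variable), so the enumeration is instantaneous; the same structure scales to the finite-state fragment of any of the programs in this section by replacing the two step functions.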


PROGRAMS WITH SEMAPHORES - FAIR COMPUTATIONS


Next we will consider programs with semaphore instructions. For such programs the classes of just and fair computations do not coincide and we have to go back to consider the more general concept of fair computations. Since always $\mathcal{F}(P) \subseteq \mathcal{J}(P)$, any property that has been proved correct by method J certainly holds for all fair computations. However, the completeness of method J breaks down in the case of programs with semaphores; we are not always guaranteed that method J is applicable.

Hence, we propose a more general method for establishing eventuality properties under fair computations:


Proof Method F:


For proving eventualities of the form $\varphi \supset \Diamond\psi$ under all fair computations of a program $P$, find a state predicate $Q$, a well-founded structure $(W, \succ)$, a convergence function $u : S \to W$ and a helpfulness function $h : S \to \{1, \ldots, m\}$ such that:

F1. $\models \varphi \supset (\psi \lor Q)$

F2. $\mathcal{F}(P - \{P_k\}) \models [Q(s) \land h(s) = k] \supset \Diamond[\psi \lor (g_k(s) \neq \emptyset)]$  for $k = 1, \ldots, m$

F3. $\models [Q(s) \land s' \in g_i(s)] \supset [\psi(s') \lor (Q(s') \land (u(s) \succeq u(s')))]$  for $i = 1, \ldots, m$

F4. $\models [Q(s) \land s' \in g_{h(s)}(s)] \supset [\psi(s') \lor (u(s) \succ u(s'))]$

F5. $\models [Q(s) \land s' \in g_i(s) \land (u(s) = u(s'))] \supset [\psi(s') \lor (h(s) = h(s'))]$  for $i = 1, \ldots, m$.

Then we may conclude that

$$\mathcal{F}(P) \models \varphi \supset \Diamond\psi.$$

A stronger conclusion is:

$$\mathcal{F}(P) \models \varphi \supset (Q\ \mathcal{U}\ \psi).$$


The requirement imposed by F2 is that under all fair computations of $P - \{P_k\}$, the program consisting of all processes excluding $P_k$, if $Q(s)$ holds and the helpful process is $k$ then eventually either $\psi$ will be realized or $g_k$ becomes enabled.

The difference between method F and method J is in the second requirement F2. While J2 requires that the helpful process is enabled now, F2 only assures that it will eventually be enabled. The apparent disadvantage of F2 in comparison with J2 is that while J2 (and all the other requirements) are static, requiring only classical reasoning for their establishment, F2 is a temporal requirement, having the same form as the conclusion we set out to prove: $\varphi \supset \Diamond\psi$. Two obvious questions arise: how do we prove F2, and is there a danger of circular reasoning?

The answer to both questions lies in the prefix to the $\models$ sign. Since our goal predicate in F2 is $g_k(s) \neq \emptyset$, which expresses the fact that $P_k$ is enabled, we may omit from our considerations any action of $P_k$, because such an action may be taken only when $P_k$ is enabled, i.e., from a goal state. Thus we can consider fair computations in which all the processes but $P_k$ participate and show that they eventually get to a state in which $P_k$ is enabled. Consequently, we can study a simpler program with one process less. The answer to the question of how to verify clause F2 is therefore: recursively by method F, but applied to a simpler program in which $P_k$ is omitted.

To justify method F consider a fair computation

$$\sigma : \; s_0 \xrightarrow{P_{i_1}} s_1 \xrightarrow{P_{i_2}} s_2 \cdots,$$

such that $\varphi(s_0)$ is true and $\psi$ is never realized. By F1 and F3, $Q(s_i)$ must be true for every $s_i$ in the sequence. By F2 the sequence must be infinite, since it implies that either already $g_k(s_i) \neq \emptyset$ and the sequence cannot stop there, or that there exists a future state $s_j$ for which $\psi \lor (g_k(s_j) \neq \emptyset)$. Consequently $s_i$ cannot be terminal. By F3 the sequence of values $u(s_1), u(s_2), \ldots$ satisfies

$$u(s_1) \succeq u(s_2) \succeq \cdots$$

and by being well-founded it must eventually stabilize, let us say at $s_r$, i.e.,

$$u(s_r) = u(s_{r+1}) = \cdots.$$

From F5 this implies a constant value of the $h$ function as well, i.e.,

$$h(s_r) = h(s_{r+1}) = \cdots = k.$$

Since the $u$ value is constant beyond $s_r$, $P_k$ by F4 could not have been activated. Thus the suffix sequence

$$s_r, s_{r+1}, \ldots$$

is a fair computation of $P - \{P_k\}$. By F2, $P_k$ must be enabled somewhere in it. By considering higher suffixes we can establish that $g_k$ is enabled an infinite number of times but never activated. Thus $\sigma$ must be unfair. ∎

In [MP3] it is proved that method F is complete for proving eventuality properties for the class of all fair computations of a program.

AN INDEXING METHOD FOR FAIR COMPUTATIONS


Similarly to the case of just computations we can present a well-founded indexing variation of the principle proposed above.


Proof Method IF:


For proving eventualities of the form $\varphi \supset \Diamond\psi$ under all fair computations of a program $P$, find a well-founded structure $(V, \succ)$, an indexed family of predicates $R_v = R_v(s)$, $v \in V$, and a decrease function $\delta : V \to \{1, \ldots, m\}$ such that

IF1. $\models \varphi \supset [\psi \lor \exists v(v \in V).R_v]$

IF2. $\mathcal{F}(P - \{P_{\delta(v)}\}) \models R_v(s) \supset \Diamond[\psi \lor (g_{\delta(v)}(s) \neq \emptyset)]$

IF3. $\models [R_v(s) \land s' \in g_i(s)] \supset [\psi(s') \lor \exists u(u \preceq v).R_u(s')]$  for $i = 1, \ldots, m$

IF4. $\models [R_v(s) \land s' \in g_{\delta(v)}(s)] \supset [\psi(s') \lor \exists u(u \prec v).R_u(s')]$.

Then we may conclude that

$$\mathcal{F}(P) \models \varphi \supset \Diamond\psi.$$

A stronger conclusion is:

$$\mathcal{F}(P) \models \varphi \supset (\exists v.R_v)\ \mathcal{U}\ \psi.$$

Similarly to the previous case we can establish the equivalence between this method and the one based on convergence functions. This variation lends itself easily to a diagram representation in the finite state case.

We will proceed to illustrate the application of method F to proofs of eventuality properties of programs with semaphores.

Example D (Program CP - consumer-producer):

    b := Λ, s := 1, cf := 0, ce := N

    l0 : compute y1                  m0 : request(cf)
    l1 : request(ce)                 m1 : request(s)
    l2 : request(s)                  m2 : y2 := head(b)
    l3 : t1 := b ∘ y1                m3 : t2 := tail(b)
    l4 : b := t1                     m4 : b := t2
    l5 : release(s)                  m5 : release(s)
    l6 : release(cf)                 m6 : release(ce)
    l7 : go to l0                    m7 : compute using y2
                                     m8 : go to m0
    - P1 : Producer -                - P2 : Consumer -

The producer $P_1$ computes at $l_0$ a value into $y_1$ without modifying any other shared program variable. It then adds $y_1$ to the end of the buffer $b$. The consumer $P_2$ removes the first element of the buffer into $y_2$ and then uses this value for its own purposes (at $m_7$) without modifying any other shared program variable. The maximal capacity of the buffer $b$ is $N > 0$.

In order to ensure the correct synchronization between the processes we use three semaphore variables. The variable $s$ ensures that the accesses to the buffer are protected and provides exclusion between the critical sections $l_{3..5}$ and $m_{2..5}$. The variable $ce$ ("count of empties") counts the number of free slots in the buffer $b$; it protects $b$ from overflowing. The variable $cf$ ("count of fulls") counts how many items the buffer currently holds; it ensures that the consumer does not attempt to remove an item from an empty buffer.


Here we wish to show that

$$\models \mathit{at}\,l_1 \supset \Diamond\,\mathit{at}\,l_3.$$

We start by presenting a top-level diagram proof:

Figure 3. (diagram not recoverable from the scan)

This diagram proof is certainly trivial. Everywhere, $P_1$ is the helpful process and leads immediately to the next step. However, we now have to establish clause IF2 in method IF. This calls for the consideration of fair computations of $P - \{P_1\} = P_2$. We thus have to conduct two subproofs:

$$\mathcal{F}(P_2) \models \mathit{at}\,l_1 \supset \Diamond(ce > 0)$$
$$\mathcal{F}(P_2) \models \mathit{at}\,l_2 \supset \Diamond(s > 0).$$

The first statement ensures that if $P_1$ is at $l_1$, $P_2$ will eventually cause $ce$ to become positive, which is the enabling condition for $P_1$ to be activated at $l_1$. Similarly, in the second statement $P_2$ will eventually cause $s$ to become positive, making $P_1$ enabled at $l_2$. For both statements we will present diagram proofs.


Consider first the diagram proof for the $\mathit{at}\,l_1$ case:

Figure 4. Diagram proof for $\mathcal{F}(P_2) \models \mathit{at}\,l_1 \supset \Diamond(ce > 0)$ (only the node chain $8 : m_7, cf > 0 \to 7 : m_8, cf > 0 \to 6 : m_0, cf > 0$ and the node $3 : m_3$ are legible in the scan).


In the construction of this diagram we use some invariants which are easy to derive. For example, we used

$$\mathit{at}\,l_{3..5} + \mathit{at}\,m_{2..5} + s = 1$$

in order to derive that being at $l_2$ and at $m_1$ implies $s > 0$. In an expression such as the above we arithmetize propositions by interpreting false as 0 and true as 1. As another invariant we use

$$cf + ce + \mathit{at}\,l_{2..6} + \mathit{at}\,m_{1..6} = N$$

in order to deduce that being at $l_1$ and at $m_0$ implies that either $ce > 0$ or $cf > 0$.


The diagram proof for $l_2$ is even simpler:

Figure 5. Diagram proof for $\mathcal{F}(P_2) \models \mathit{at}\,l_2 \supset \Diamond(s > 0)$ (only the nodes $3 : m_6$, $2 : m_5$ and $1 : s > 0$ are legible in the scan).
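As an added example, not part of the paper: a Python enumeration of the CP program of Example D with its semaphores. The steps are transcribed from the listing; request(x) is modelled as a transition that is disabled while x = 0 (this is what separates fair from just computations here: a blocked process is not enabled, so nothing obliges a just scheduler to return to it), and release(x) as x := x + 1. The script checks the two invariants quoted above and the buffer bounds over all reachable states, and then checks the two IF2 subproofs the text asks for by running P2 alone from every reachable state in which P1 is at l1 or l2. The buffer capacity N and the constant produced item are constructed choices; the produced values are not what the synchronisation argument depends on.

```python
"""Exhaustive check of the consumer-producer program CP (Example D) with semaphores.

Added example, not the paper's code: the process steps are transcribed from the
listing; request(x) is a step that is disabled while x = 0, release(x) is x := x + 1.
State: (pc1, pc2, b, t1, t2, s, ce, cf).  The produced value y1 is fixed to the
constant ITEM and y2 is not recorded, which keeps the state space finite without
affecting the synchronisation behaviour being checked.
"""
from collections import deque

N = 2                                    # buffer capacity (any N > 0; constructed choice)
ITEM = 1                                 # stand-in for the value computed at l0
INITIAL = (0, 0, (), (), (), 1, N, 0)    # b := Λ, s := 1, ce := N, cf := 0


def step_p1(st):
    """Successor under one P1 step, or None when P1 is blocked on a semaphore."""
    pc1, pc2, b, t1, t2, s, ce, cf = st
    if pc1 == 0: return (1, pc2, b, t1, t2, s, ce, cf)                           # l0: compute y1
    if pc1 == 1: return None if ce == 0 else (2, pc2, b, t1, t2, s, ce - 1, cf)  # l1: request(ce)
    if pc1 == 2: return None if s == 0 else (3, pc2, b, t1, t2, s - 1, ce, cf)   # l2: request(s)
    if pc1 == 3: return (4, pc2, b, b + (ITEM,), t2, s, ce, cf)                  # l3: t1 := b ∘ y1
    if pc1 == 4: return (5, pc2, t1, t1, t2, s, ce, cf)                          # l4: b := t1
    if pc1 == 5: return (6, pc2, b, t1, t2, s + 1, ce, cf)                       # l5: release(s)
    if pc1 == 6: return (7, pc2, b, t1, t2, s, ce, cf + 1)                       # l6: release(cf)
    return (0, pc2, b, t1, t2, s, ce, cf)                                         # l7: go to l0


def step_p2(st):
    """Successor under one P2 step, or None when P2 is blocked on a semaphore."""
    pc1, pc2, b, t1, t2, s, ce, cf = st
    if pc2 == 0: return None if cf == 0 else (pc1, 1, b, t1, t2, s, ce, cf - 1)  # m0: request(cf)
    if pc2 == 1: return None if s == 0 else (pc1, 2, b, t1, t2, s - 1, ce, cf)   # m1: request(s)
    if pc2 == 2: return (pc1, 3, b, t1, t2, s, ce, cf)                           # m2: y2 := head(b)
    if pc2 == 3: return (pc1, 4, b, t1, b[1:], s, ce, cf)                        # m3: t2 := tail(b)
    if pc2 == 4: return (pc1, 5, t2, t1, t2, s, ce, cf)                          # m4: b := t2
    if pc2 == 5: return (pc1, 6, b, t1, t2, s + 1, ce, cf)                       # m5: release(s)
    if pc2 == 6: return (pc1, 7, b, t1, t2, s, ce + 1, cf)                       # m6: release(ce)
    if pc2 == 7: return (pc1, 8, b, t1, t2, s, ce, cf)                           # m7: compute using y2
    return (pc1, 0, b, t1, t2, s, ce, cf)                                         # m8: go to m0


def reachable(start=INITIAL):
    """Every state reachable under arbitrary interleaving; blocked steps yield nothing."""
    seen, work = {start}, deque([start])
    while work:
        st = work.popleft()
        for nxt in (step_p1(st), step_p2(st)):
            if nxt is not None and nxt not in seen:
                seen.add(nxt)
                work.append(nxt)
    return seen


def inv_s(st):        # at l3..5 + at m2..5 + s = 1   (propositions arithmetised as 0/1)
    return (st[0] in (3, 4, 5)) + (st[1] in (2, 3, 4, 5)) + st[5] == 1

def inv_counts(st):   # cf + ce + at l2..6 + at m1..6 = N
    return st[7] + st[6] + (2 <= st[0] <= 6) + (1 <= st[1] <= 6) == N

def inv_buffer(st):   # b never overflows, and head(b) at m2 never reads an empty buffer
    return len(st[2]) <= N and (st[1] != 2 or len(st[2]) > 0)


def p2_alone_reaches(start, goal, bound=4 * N + 20):
    """IF2 with helpful process P1: run only P2 (that is P - {P1}) from start and report
    whether goal becomes true.  P2 alone is deterministic, so one run is the whole
    computation; None means P2 itself became blocked before reaching the goal."""
    st = start
    for _ in range(bound):
        if goal(st):
            return True
        st = step_p2(st)
        if st is None:
            return False
    return goal(st)


def if2_subproofs():
    """F(P2) |= at l1 ⊃ ◇(ce > 0)  and  F(P2) |= at l2 ⊃ ◇(s > 0),
    checked from every reachable state with P1 at l1, respectively l2."""
    for st in reachable():
        if st[0] == 1 and not p2_alone_reaches(st, lambda x: x[6] > 0):
            return False
        if st[0] == 2 and not p2_alone_reaches(st, lambda x: x[5] > 0):
            return False
    return True


def p1_can_block():
    """Why method J does not apply: some reachable state has P1 at l1 with ce = 0,
    so the helpful process is disabled and only P2's steps can enable it again."""
    return any(st[0] == 1 and st[6] == 0 for st in reachable())


if __name__ == "__main__":
    states = reachable()
    print(len(states), "reachable states for N =", N)
    print("inv_s:", all(map(inv_s, states)), "inv_counts:", all(map(inv_counts, states)),
          "inv_buffer:", all(map(inv_buffer, states)))
    print("IF2 subproofs:", if2_subproofs(), " P1 can block:", p1_can_block())
```

Raising N only enlarges the state space; the invariants and the IF2 subproofs hold for every N > 0, which is what the text's hand proofs establish without enumeration.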


Example E (Program BC - a distributed computation of the binomial coefficient):

    y1 := n, y2 := 0, y3 := 1, y4 := 1

    l0 : if y1 = (n − k) then go to l7       m0 : if y2 = k then go to m8
    l1 : request(y4)                         m1 : y2 := y2 + 1
    l2 : t1 := y3 · y1                       m2 : loop until y1 + y2 ≤ n
    l3 : y3 := t1                            m3 : request(y4)
    l4 : release(y4)                         m4 : t2 := y3 / y2
    l5 : y1 := y1 − 1                        m5 : y3 := t2
    l6 : go to l0                            m6 : release(y4)
    l7 : halt                                m7 : go to m0
                                             m8 : halt
    - P1 -                                   - P2 -

This program computes the binomial coefficient $\binom{n}{k}$ for integers $n$ and $k$ such that $0 \le k \le n$. Based on the formula

$$\binom{n}{k} = \frac{n \cdot (n-1) \cdot \ldots \cdot (n-k+1)}{1 \cdot 2 \cdot \ldots \cdot k}$$

process $P_1$ successively multiplies $y_3$ by $n, (n-1), \ldots$, while $P_2$ successively divides $y_3$ by $1, 2, \ldots$. In order for the division at $m_4$ to come out evenly, we divide $y_3$ by $y_2$ only when at least $y_2$ factors have been multiplied into $y_3$ by $P_1$. The waiting loop at $m_2$ ensures this.

Without loss of generality we can relabel the instructions in the program, as follows:

Program BC* - A relabelled version of the Binomial Coefficient Program:

    y1 := n, y2 := 0, y3 := 1, y4 := 1

    l7 : if y1 = (n − k) then go to l1       m3 : if y2 = k then go to m1
    l6 : request(y4)                         m2 : y2 := y2 + 1
    l5 : t1 := y3 · y1                       m9 : loop until y1 + y2 ≤ n
    l4 : y3 := t1                            m8 : request(y4)
    l3 : release(y4)                         m7 : t2 := y3 / y2
    l2 : y1 := y1 − 1                        m6 : y3 := t2
    l0 : go to l7                            m5 : release(y4)
    l1 : halt                                m4 : go to m3
                                             m1 : halt
    - P1 -                                   - P2 -

Here we wish to prove:

$$\models [\mathit{at}\{l_7, m_3\} \land (y_1, y_2, y_3, y_4) = (n, 0, 1, 1)] \supset \Diamond\,\mathit{at}\{l_1, m_1\}.$$

We apply method F with the following:

$$Q : \; [\mathit{at}\,l_{3..5} + \mathit{at}\,m_{5..7} + y_4 = 1] \land [((n-k) + \mathit{at}\,l_{2..6}) \le y_1 \le n] \land [0 \le y_2 \le (k - \mathit{at}\,m_2)] \land [\mathit{at}\,l_1 \supset (y_1 = n-k)]$$

$$(W, \succ) : \; (\mathbb{N} \times \mathbb{N}, >_{lex}), \text{ the lexicographically ordered domain of pairs of nonnegative integers}$$

$$u(l_i, m_j; y_1, y_2) : \; (y_1 + k - y_2,\ i + j)$$

$$h(\pi, y) : \; \text{if } \mathit{at}\,l_1 \text{ then } P_2 \text{ else } P_1.$$

Obviously the label sequence was designed in such a way that every step that moves to the next instruction will necessarily decrement $u$. This is so because the label sequence is always decreasing except for the instructions which decrement $y_1$ and increment $y_2$, and changes in the $y$'s have been given the highest priority in the lexicographical ordering.

There are only two situations to be checked. First, when $P_1$ is at $l_1$ and $P_2$ is at $m_9$ we have to show that the next step indeed decrements $u$. This is so because in such a situation we are assured by $Q$ that both $y_2 \le k$ and $y_1 = n - k$ hold, leading to $y_1 + y_2 \le n$, which means that the next step leads to $m_8$. Another point is to show that being at $l_6$ guarantees that eventually $y_4$ will become positive, by the actions of $P_2$ alone. This is easily established by the following diagram, supported by $Q$.
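As an added example, not part of the paper: a Python enumeration of the relabelled program BC* above for concrete n and k, exercising the ingredients of the method-F proof. The two processes are transcribed from the BC* listing with request(y4) disabled while y4 = 0. For every reachable state the script checks that Q holds; that the y-part y1 + k − y2 of the ranking u is unchanged by every step except the two y-changing steps at l2 and m2, where it strictly decreases (this is the well-founded descent the proof rests on); that every division at m7 is exact, which is what the wait at m9 buys; that from any state with P1 blocked at l6, P2 alone eventually makes y4 positive (the helpfulness clause); and that the only terminal state has both processes halted with y3 equal to the binomial coefficient. The values of n and k are constructed inputs.

```python
"""Exhaustive check of the relabelled binomial-coefficient program BC* (Example E).

Added example, not the paper's code.  State: (i, j, y1, y2, y3, y4, t1, t2) with
P1 at l_i and P2 at m_j.  request(y4) is disabled while y4 = 0.
"""
from math import comb


def check_bc_star(n, k):
    """Enumerate every interleaving of BC* for the given n, k and report the checks."""
    init = (7, 3, n, 0, 1, 1, 0, 0)              # y1 := n, y2 := 0, y3 := 1, y4 := 1

    def p1(st):
        i, j, y1, y2, y3, y4, t1, t2 = st
        if i == 7: return (1 if y1 == n - k else 6, j, y1, y2, y3, y4, t1, t2)     # l7: if y1 = n-k then go to l1
        if i == 6: return None if y4 == 0 else (5, j, y1, y2, y3, y4 - 1, t1, t2)  # l6: request(y4)
        if i == 5: return (4, j, y1, y2, y3, y4, y3 * y1, t2)                      # l5: t1 := y3 * y1
        if i == 4: return (3, j, y1, y2, t1, y4, t1, t2)                           # l4: y3 := t1
        if i == 3: return (2, j, y1, y2, y3, y4 + 1, t1, t2)                       # l3: release(y4)
        if i == 2: return (0, j, y1 - 1, y2, y3, y4, t1, t2)                       # l2: y1 := y1 - 1
        if i == 0: return (7, j, y1, y2, y3, y4, t1, t2)                           # l0: go to l7
        return None                                                                 # l1: halt

    def p2(st):
        i, j, y1, y2, y3, y4, t1, t2 = st
        if j == 3: return (i, 1 if y2 == k else 2, y1, y2, y3, y4, t1, t2)         # m3: if y2 = k then go to m1
        if j == 2: return (i, 9, y1, y2 + 1, y3, y4, t1, t2)                       # m2: y2 := y2 + 1
        if j == 9: return (i, 8 if y1 + y2 <= n else 9, y1, y2, y3, y4, t1, t2)    # m9: loop until y1 + y2 <= n
        if j == 8: return None if y4 == 0 else (i, 7, y1, y2, y3, y4 - 1, t1, t2)  # m8: request(y4)
        if j == 7: return (i, 6, y1, y2, y3, y4, t1, y3 // y2)                     # m7: t2 := y3 / y2
        if j == 6: return (i, 5, y1, y2, t2, y4, t1, t2)                           # m6: y3 := t2
        if j == 5: return (i, 4, y1, y2, y3, y4 + 1, t1, t2)                       # m5: release(y4)
        if j == 4: return (i, 3, y1, y2, y3, y4, t1, t2)                           # m4: go to m3
        return None                                                                 # m1: halt

    def Q(st):                                   # the predicate Q of the method-F proof
        i, j, y1, y2, _, y4, _, _ = st
        return ((i in (3, 4, 5)) + (j in (5, 6, 7)) + y4 == 1
                and (n - k) + (2 <= i <= 6) <= y1 <= n
                and 0 <= y2 <= k - (j == 2)
                and (i != 1 or y1 == n - k))

    def rank_y(st):                              # first component of u(l_i, m_j; y1, y2)
        return st[2] + k - st[3]

    result = {"Q": True, "rank": True, "exact": True, "helpful": True, "finals": set()}
    seen, stack = {init}, [init]
    while stack:
        st = stack.pop()
        i, j, y1, y2, y3, y4, _, _ = st
        result["Q"] &= Q(st)
        if j == 7:                               # division about to happen: must be exact
            result["exact"] &= y3 % y2 == 0
        if i == 6 and y4 == 0:                   # P1 blocked at l6: P2 alone must release y4
            x, steps = st, 0
            while x is not None and x[5] == 0 and steps < 20:
                x, steps = p2(x), steps + 1
            result["helpful"] &= x is not None and x[5] > 0
        moves = [(proc, nxt) for proc, nxt in ((1, p1(st)), (2, p2(st))) if nxt is not None]
        if not moves:
            result["finals"].add((i, j, y3))
        for proc, nxt in moves:
            changes_y = (proc == 1 and i == 2) or (proc == 2 and j == 2)
            result["rank"] &= rank_y(nxt) < rank_y(st) if changes_y else rank_y(nxt) == rank_y(st)
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    result["states"] = len(seen)
    return result


if __name__ == "__main__":
    r = check_bc_star(5, 2)
    print(r["states"], "states;", {k: v for k, v in r.items() if k != "states"})
    print("expected final y3:", comb(5, 2))
```

Only the y-part of u is checked here; the label part i + j is the paper's bookkeeping for steps that leave the y's untouched, and the enumeration confirms those steps never disturb the y-part.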


Closely related approaches, but concentrating on nondeterministic rather than concurrent programs, are described in [AO] and [GFMR].
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